Text version: 1.00
General information on Windows
Windows is a proprietary operating system from Microsoft. Windows is currently one of the most popular operating systems. According to various sources, over 90% of PCs worldwide run some version of it.
Thumbs.db files
[Figure: Windows Explorer in Windows XP]
Windows comes with a variety of preinstalled programs. One of these applications is a file manager known as Windows Explorer. A considerable percentage of users rely on this program, though its functionality is not rich.
Windows Explorer offers several modes to display files. One of them is the thumbnail mode, in which directories and files are displayed as thumbnails. Windows Explorer is fairly intelligent and enters the thumbnail mode automatically when the user views a directory with a large percentage of graphic and video files. From Windows ME through Windows XP, displayed thumbnails are automatically saved to Thumbs.db files. Although Windows Vista and Windows 7 have their own centralized thumbnail databases, Thumbs.db is still used for caching thumbnails of network drives, starting with Windows Vista SP1.
Note that Thumbs.db is not created only at the request of Windows Explorer. Any application that uses particular Windows interfaces can initiate saving thumbnails to Thumbs.db.
Peculiarities of Thumbs.db files
Thumbs.db files are always saved to the cached directory itself. Thumbs.db is a hidden file. To see Thumbs.db, the user needs to enable “show hidden files and folders” in a file manager.
[Figures: created on Windows 2000; created on Windows XP; created on Windows Vista]
The system saves thumbnails to Thumbs.db not only for standard graphic files but also for files handled by a registered shell extension that implements the IExtractImage interface. On Windows Vista and above, the system saves thumbnails to Thumbs.db for files handled by a registered extension that implements the IThumbnailProvider interface. Besides creating thumbnails, these extensions need to be set to allow saving.
The typical list of extensions in Windows OS is presented below:
| Extension name | Extension file | File extensions |
| GDI+ file thumbnail extractor | %SYSTEM%\shimgvw.dll | BMP, DIB, EMF, GIF, ICO, JFIF, JPE, JPEG, JPG, PNG, RLE, TIF, TIFF, WMF |
| Video Thumbnail Extractor | %SYSTEM%\shmedia.dll | ASF, ASX, AVI, MPE, MPEG, MPG, WMV |
| HTML thumbnail extractor (this extension was discontinued in Windows XP SP1) | %SYSTEM%\thumbvw.dll | EML, HTM, HTML, MHT, MHTML, NWS, URL, XML |
| Channel management object | %SYSTEM%\cdfview.dll | CDF |
| Shortcut | %SYSTEM%\shell32.dll | LNK |
Many applications add their own extensions. For example:
| Application | Extension name | Extension file | File extensions |
| Adobe Illustrator | | %PROGRAM_FILES_COMMON%\Adobe\Shell\AIIcon.dll | AI |
| Adobe Acrobat | PDF Shell Extension | %PROGRAM_FILES%\Acrobat\ActiveX\PDFShell.dll | |
| EasySIGN | ES32 ShellExtension | %PROGRAM_FILES%\EasySIGN\V05 DEMO\Archive.dll | ECA, ES, EST, ESW, IO, MA |
| Paint.NET | Paint.NET Shell Extension | %PROGRAM_FILES%\Paint.NET\ShellExtension_x86.dll | PDN |
| Paint Shop Pro | PSPThumbExtractor Class | %PROGRAM_FILES_COMMON%\Corel\PSPThumbShellExt\PSPThumbShellExt.dll | PSP, PSPFRAME, PSPIMAGE, PSPSHAPE, PSPTUBE, TUB |
| Microsoft XPS Document Writer | Windows XPS Document Thumbnail Handler | %SYSTEM%\XPSSHHDR.DLL | DWFX, JTX, XPS |
| Microsoft Office | Summary Info Thumbnail handler (DOCFILES) | %SYSTEM%\shimgvw.dll | DOC, DOT, FPX, MIC, MIX, MPP, OBD, OBT, POT, PPT, XLS, XLT |
| Microsoft Office | Microsoft Office Thumbnail Handler | %PROGRAM_FILES_COMMON%\Microsoft Shared\OFFICE12\msoshext.dll | ACCDT, DOCM, DOCX, DOTM, DOTX, POTM, POTX, PPAM, PPSM, PPSX, PPTM, PPTX, THMX, XLAM, XLSB, XLSM, XLSX, XLTM, XLTX |
On Windows Vista and Windows 7, thumbnails are saved with a maximum size of 256x256 pixels.
Besides file thumbnails, Thumbs.db files are also used to save directory thumbnails on systems earlier than Windows Vista. A directory thumbnail is saved to Thumbs.db in the directory itself, i.e. if the user is viewing the directory C:\Dir and there is a subdirectory Subdir in it, the thumbnail of the subdirectory Subdir is saved to the file C:\Dir\Subdir\Thumbs.db. The thumbnail is created only if the directory contains at least one file that a thumbnail can be created for. The directory thumbnail is an image of the folder with miniature file thumbnails from this directory on top. There can be from one to four miniature file thumbnails, depending on the number of files. The directory thumbnail is always saved under the name "{A42CD7B6-E9B9-4D02-B7A6-288B71AD28BA}".
In addition to thumbnails, Thumbs.db also contains the filename and modification data of a file/directory. Different versions of Windows save the filename and the path to it differently:
| Version | Windows ME | Windows 2000 | Windows XP | Windows 2003 | Windows Vista | Windows 2008 | Windows 7 |
| Path | + | + | - | - | - | - | - |
| Filename | + | + | + | + | - | - | - |
| Filename hash | - | - | - | - | + | + | + |
On Windows 7, modification data is not saved to Thumbs.db.
Windows does not synchronize the content of Thumbs.db files with the real file system. This is why a file's thumbnail is not deleted from Thumbs.db when the file itself is deleted.
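The lack of synchronization described above gives a simple triage check on a mounted evidence copy: a Thumbs.db left in a directory that no longer holds any thumbnail-capable file probably still carries thumbnails of removed files. The Python code below is an added example, not code from the original page or from any tool named on it. The function name find_thumbs_db is hypothetical, the extension set comes from the built-in image and video extractors in the table above, and the signature check relies on Thumbs.db being an OLE2 compound file, which the page does not state.

```python
import os

# Extensions listed above for the built-in image and video thumbnail extractors.
THUMBNAILABLE = {
    "bmp", "dib", "emf", "gif", "ico", "jfif", "jpe", "jpeg", "jpg", "png",
    "rle", "tif", "tiff", "wmf", "asf", "asx", "avi", "mpe", "mpeg", "mpg", "wmv",
}
# OLE2 compound-file signature (general format knowledge, not from the page).
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def find_thumbs_db(root):
    """Walk root and describe every Thumbs.db found (name match ignores case)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        cache = next((f for f in files if f.lower() == "thumbs.db"), None)
        if cache is None:
            continue
        path = os.path.join(dirpath, cache)
        with open(path, "rb") as fh:
            header = fh.read(len(OLE2_MAGIC))
        # Files still present in this directory that could have been thumbnailed.
        media = sorted(
            f for f in files
            if os.path.splitext(f)[1][1:].lower() in THUMBNAILABLE
        )
        findings.append({
            "path": path,
            "size": os.path.getsize(path),
            "valid_ole2": header == OLE2_MAGIC,
            "media_files": media,
            # The cache is not pruned when files are deleted, so a cache with
            # no media beside it likely holds thumbnails of removed files.
            "orphaned": not media,
        })
    return findings


if __name__ == "__main__":
    # Point this at a read-only mount of the evidence copy.
    for item in find_thumbs_db("."):
        print(item["path"], item["size"], item["valid_ole2"], item["orphaned"])
```

Entries flagged as orphaned are the ones to open first in a Thumbs.db viewer; a false valid_ole2 value means the file only carries the name and needs separate inspection.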
Peculiarities of saving thumbnails in Windows 2000
If the cached directory is on a disk formatted with NTFS, file thumbnails are saved not to Thumbs.db but to alternate data streams of the files themselves. Such streams do not exist in FAT.
Registry settings that have impact on creation of thumbnails and their saving to Thumbs.db
On Windows Vista and Windows 7:
| Registry key | Value name | Type | Description |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | DisableThumbsDBOnNetworkFolders | REG_DWORD | Saving thumbnails to Thumbs.db. Values: 0 = allowed, 1 = disallowed. Default value is 0. |
On Windows XP:
| Registry key | Value name | Type | Description |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | DisableThumbnailCache | REG_DWORD | Saving thumbnails to Thumbs.db. Values: 0 = allowed, 1 = disallowed. Default value is 0. |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer | ThumbnailSize | REG_DWORD | Maximal width and height of a thumbnail. Possible values: 32-256. Default value is 96. |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer | ThumbnailQuality | REG_DWORD | Thumbnail quality. Possible values: 50-100. Default value is 90. |
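When a directory of images has no Thumbs.db, these values show whether caching was switched off for that user. The following Python code is an added example, not part of the original page: it reads the text form of an exported HKCU branch (.reg format) and reports the effective value of each setting from the tables above, falling back to the documented default when a value is absent. The function name effective_settings and the sample export are constructed for illustration.

```python
import re

EXPLORER = r"software\microsoft\windows\currentversion\explorer"
# (HKCU subkey, value name, default, allowed range), all taken from the tables above.
KNOWN = [
    (EXPLORER + r"\advanced", "DisableThumbnailCache", 0, (0, 1)),
    (EXPLORER, "ThumbnailSize", 96, (32, 256)),
    (EXPLORER, "ThumbnailQuality", 90, (50, 100)),
    (r"software\microsoft\windows\currentversion\policies\explorer",
     "DisableThumbsDBOnNetworkFolders", 0, (0, 1)),
]
SECTION = re.compile(r"\[(?:HKEY_CURRENT_USER|HKCU)\\(.+)\]$", re.I)
DWORD = re.compile(r'"([^"]+)"=dword:([0-9a-f]{8})$', re.I)


def effective_settings(reg_text):
    """Return {value name: (value, explicitly_set, within_documented_range)}."""
    found, key = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            m = SECTION.match(line)
            key = m.group(1).lower() if m else None  # other hives are ignored
        elif key and (m := DWORD.match(line)):
            # Registry key and value names are case-insensitive.
            found[(key, m.group(1).lower())] = int(m.group(2), 16)
    result = {}
    for subkey, name, default, (lo, hi) in KNOWN:
        explicit = (subkey, name.lower()) in found
        value = found.get((subkey, name.lower()), default)
        result[name] = (value, explicit, lo <= value <= hi)
    return result


# Constructed sample in the text form of a registry export (not real case data).
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ThumbnailSize"=dword:00000200

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"DisableThumbnailCache"=dword:00000001
"""

if __name__ == "__main__":
    for name, state in effective_settings(SAMPLE).items():
        print(name, state)
```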
Thumbs.db file forensic analysis
The following programs can be used to view the content of thumbnail cache files created by Windows (Thumbs.db):
ThumbnailExpert
ThumbnailExpert is a unique application for forensic examination of thumbnail cache files created by different programs that deal with multimedia content. These programs include image viewers, video editors, file managers, software for mobile phones and many others. ThumbnailExpert is a fully automated application that does not require deep knowledge of examined files, their structure and location. The program can find and decode files on its own. Retrieved data can be exported or used to create a comprehensive report. ThumbnailExpert is an indispensable utility for complete and quality forensic examination.
ThumbnailExpert is available in Forensic, Professional and Lite versions.
dec Windows Thumbnail Database Viewer
dec Windows Thumbnail Database Viewer is a forensic application designed to help users view and extract data from such files as Thumbs.db, thumbcache_idx.db, thumbcache_1024.db, thumbcache_256.db, thumbcache_96.db, thumbcache_32.db, IconCache.db, ShellIconCache. These files are created by the Microsoft Windows family of operating systems, including Windows 7. The program can also extract data from ehthumbs_vista.db, ehthumbs.db, Image.db, Video.db, TVThumb.db, created by different versions of Windows Media Center. The program searches a storage device for the above-mentioned files, extracts thumbnails and related metadata from the files it finds, and creates a report on their content. dec Windows Thumbnail Database Viewer can be used for forensic examination and recovery of lost images from copies.
decThumbsDBViewer
A plugin for Total Commander that allows users to view and extract the content of thumbnail cache files created by Microsoft Windows (Thumbs.db, thumbcache_idx.db, thumbcache_1024.db, thumbcache_256.db, thumbcache_96.db, thumbcache_32.db, IconCache.db and ShellIconCache), Windows Media Center (ehthumbs_vista.db, ehthumbs.db, Image.db, Video.db and TVThumb.db) and Total Commander (tcthumbs.db and tcthumbs.idb). The plugin allows saving any single thumbnail, or all thumbnails at once, to the hard disk drive. It is also possible to copy thumbnails to the clipboard.
